Code of Practice: A Standard for Information Security Management

The rapid development of networks has caused senior management to reconsider the vulnerabilities of their organisations to information security incidents. Such reconsideration often reveals that the fundamental vulnerabilities lie not with the emerging technology but rather with the lack of an information security infrastructure within the organisation. Appointing a security officer is a common reaction to this situation but the new appointees often find that there is a lack of immediately apparent support form senior management for additional budgets or organisational change and an agreed authoritative source of information security guidelines. The situation has to some extent been addressed by emerging Information Security Management standards such as the BS 7799. This paper discusses the manner in which a security officer may best employ such standards to enhance the level of information security in an organisation. The paper also discusses the fact that the application of the standards reveals the requirements for an organisational security model that may be employed to assist in standards conformance and auditing.